Wrong timezones in compute_engine.IDTokenCredentials expiry #1323

@juzna

Description

The expiry of compute_engine.IDTokenCredentials is in the local timezone, but it's then compared to UTC. This means that an expired token may be used. Expiry of all other credential types is correctly in UTC.

Environment details

  • OS: Linux
  • Python version: 3.11
  • pip version: 23.1.2
  • google-auth version: 2.19.1
  • Tested on GKE 1.24.12-gke.500 with Workload Identity, but AFAICT it would also fail anywhere on GCP

Steps to reproduce

Run on a GCE VM (or a GKE pod).

Configure Python to use some timezone far from UTC, e.g. export TZ=America/New_York.

```python
import google.auth.compute_engine.credentials
import google.auth.transport.requests

r = google.auth.transport.requests.Request()
creds = google.auth.compute_engine.credentials.IDTokenCredentials(r, target_audience="foo", use_metadata_identity_endpoint=True)
creds.refresh(r)

print(f"expiry: {creds.expiry}")
print(f"expired: {creds.expired}")
```

Here, expired incorrectly reports false, because it compares the local expiry with utcnow.

Another failure mode is in timezones with a positive offset (e.g. Europe/Prague), where the token will be treated as not-expired even after it actually expired.

All other credential types use UTC for everything, so they don't have the problem. Even the compute engine OAuth2 credentials in the same file (i.e. just Credentials, not IDTokenCredentials).

Should be a very simple fix, to use UTC datetime everywhere.
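
The mismatch described in this issue can be reproduced without a GCE VM. The following is an added example, not code from the issue or from google-auth: it assumes the expiry is built from an epoch timestamp as a naive local datetime and compared against a naive UTC "now", and it uses constructed timestamps and POSIX TZ strings (`CET-1`, `EST5`) as stand-ins for Europe/Prague and America/New_York so that it does not depend on the tz database.

```python
import datetime
import os
import time

UTC = datetime.timezone.utc

def local_naive(exp):
    # Assumed buggy pattern: epoch seconds -> naive datetime in the process-local zone.
    return datetime.datetime.fromtimestamp(exp)

def utc_naive(exp):
    # Proposed fix: epoch seconds -> naive datetime in UTC, independent of TZ.
    return datetime.datetime.fromtimestamp(exp, UTC).replace(tzinfo=None)

def is_expired(expiry, now_epoch):
    # Simplified form of the check the issue describes: naive expiry vs. UTC "now".
    return utc_naive(now_epoch) >= expiry

def evaluate(tz, exp, now_epoch):
    """Return (skew, buggy_expired, fixed_expired) for a process running with TZ=tz."""
    saved = os.environ.get("TZ")
    os.environ["TZ"] = tz
    time.tzset()  # Unix only; makes the new TZ take effect in this process
    try:
        buggy, fixed = local_naive(exp), utc_naive(exp)
        return buggy - fixed, is_expired(buggy, now_epoch), is_expired(fixed, now_epoch)
    finally:
        # Restore the caller's timezone setting.
        if saved is None:
            os.environ.pop("TZ", None)
        else:
            os.environ["TZ"] = saved
        time.tzset()

EXP = 1_700_000_000   # constructed expiry: 2023-11-14 22:13:20 UTC
NOW = EXP + 30 * 60   # constructed clock reading: 30 minutes after the real expiry

if __name__ == "__main__":
    for tz in ("UTC0", "CET-1", "EST5"):
        skew, buggy, fixed = evaluate(tz, EXP, NOW)
        print(f"{tz:6} skew={skew} buggy_expired={buggy} fixed_expired={fixed}")
```

With `CET-1` the naive local expiry lands one hour after the real one, so a token that expired 30 minutes ago still passes the buggy check while the UTC version rejects it.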
